F5 Vulnerabilities and Targeting – Update

In August 2025, F5 learned that a highly sophisticated nation-state threat actor had maintained long-term, persistent access to select F5 systems and had downloaded files from them. These systems included the BIG-IP product development environment and engineering knowledge management platforms. The accessed files contained some BIG-IP source code and information about undisclosed vulnerabilities in BIG-IP. F5 is not aware of active exploitation of any undisclosed F5 vulnerabilities, but it has released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and the APM clients, and strongly advises updating to these new releases as soon as possible.

Further information can be found in the MyF5 Security Incident article and Quarterly Security Notification, and a threat hunting guide is available from F5 Support. Google Threat Intelligence Group/Mandiant released a threat intelligence report regarding BRICKSTORM activity, which is linked to this operation and can also be used for threat hunting.

CISA released an emergency directive, ED 26-01: Mitigate Vulnerabilities in F5 Devices, and assesses that this cyber threat actor presents an imminent threat to networks using F5 devices and software. Exploitation of impacted F5 products could allow threat actors to access embedded credentials and API keys, move laterally, exfiltrate data, and establish persistent system access.

The NJCCIC advises updating the following F5 products as soon as possible after appropriate testing: BIG-IP, BIG-IP Next for Kubernetes, BIG-IQ, F5OS, APM client, and BNK/CNF. Validate the MD5 checksums of the software image files, and of any other software downloaded from F5, before installing them. Additionally, decommission any end-of-life/end-of-support devices.
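The checksum step above is easy to skip under time pressure, so here is an added example of gating an install on it. This is illustrative code written for this page, not tooling from F5, CISA, or the NJCCIC. It assumes the checksum file uses the common md5sum layout (a 32-hex-digit digest followed by the filename), that both the image and its checksum file were fetched over TLS from MyF5, and that either md5sum or openssl is available on the host doing the check. The "image" and .md5 file used by the fixture function are constructed test data, not real F5 downloads.

```shell
#!/bin/sh
# Added example for this advisory (not F5's or the NJCCIC's own tooling):
# verify a downloaded F5 software image against its published MD5 checksum
# before installing it.
#
# Assumptions (not taken from the advisory): the checksum file uses the
# common md5sum layout "<32 hex digits>  <filename>", both files were
# retrieved over TLS from MyF5, and either md5sum or openssl is installed.

# md5_of FILE: print the lowercase hex MD5 digest of FILE.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print tolower($1) }'
    else
        # openssl -r prints "<digest> *<file>", same first field as md5sum
        openssl dgst -md5 -r "$1" | awk '{ print tolower($1) }'
    fi
}

# expected_md5 MD5FILE: print the first 32-hex-digit field found in the
# checksum file, lowercased; prints nothing if the file holds no digest.
expected_md5() {
    awk 'length($1) == 32 && $1 ~ /^[0-9A-Fa-f]+$/ { print tolower($1); exit }' "$1"
}

# verify_md5 IMAGE MD5FILE: return 0 when the image's digest matches the
# published one, 1 on mismatch or when either file is missing/unparseable.
verify_md5() {
    image=$1
    md5file=$2
    [ -f "$image" ]   || { echo "missing image: $image" >&2; return 1; }
    [ -f "$md5file" ] || { echo "missing checksum file: $md5file" >&2; return 1; }
    want=$(expected_md5 "$md5file")
    if [ -z "$want" ]; then
        echo "no MD5 digest found in $md5file" >&2
        return 1
    fi
    got=$(md5_of "$image")
    if [ "$want" = "$got" ]; then
        echo "OK   $image  $got"
        return 0
    fi
    echo "FAIL $image  expected=$want got=$got (do not install)" >&2
    return 1
}

# make_fixture DIR CONTENT: constructed test data, not a real F5 download.
# Writes a stand-in "image" holding CONTENT plus a .md5 file that carries the
# digest of the genuine content "hello" (5d41402abc4b2a76b9719d911017c592),
# so any other CONTENT simulates a corrupted or tampered download.
make_fixture() {
    printf '%s' "$2" > "$1/BIGIP-sample.iso"
    printf '5d41402abc4b2a76b9719d911017c592  BIGIP-sample.iso\n' \
        > "$1/BIGIP-sample.iso.md5"
}

# Usage: sh verify-f5-image.sh BIGIP-<version>.iso BIGIP-<version>.iso.md5
# The script's exit status is the verification result, so it can gate an
# automated install step (e.g. "sh verify-f5-image.sh img md5 && install").
if [ "$#" -eq 2 ]; then
    verify_md5 "$1" "$2"
fi
```

Two caveats worth keeping in mind when relying on this check. An MD5 match proves the file you received is the file F5 published only if the checksum itself came from F5's authenticated site over TLS; an attacker who can substitute the image on your download path can usually substitute the .md5 beside it too, and MD5 is no longer collision-resistant, so treat the published digest as the trust anchor rather than one copied from an email or ticket. Where F5 also provides a signature file for an image, verify that as well, since a signature check does not depend on the channel the digest arrived over.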